PSDK

Public Safety Discovery Key

Security →
Introduced in Rel-13

PSDK is a security key used in Proximity Services to secure the discovery process, ensuring only authorized public safety user equipment can discover each other in off-network scenarios.

Category
Security
Introduced
Rel-13
Where
Services
Specifications
3 specs
PSDK Description Purpose Related Classification Detected Changes Specifications

Description

The Public Safety Discovery Key (PSDK) is a cryptographic key defined within the 3GPP security architecture for Proximity Services (ProSe), specifically tailored for public safety use cases. It is a crucial element in the ProSe Direct Discovery security framework, ensuring that discovery messages are authenticated and integrity-protected, preventing unauthorized devices from discovering or impersonating public safety personnel. The PSDK is derived and managed within the secure environment of the Universal Integrated Circuit Card (UICC) or embedded SIM (eSIM).

The PSDK's primary function is to secure the ProSe Restricted Code used in restricted discovery for public safety. In restricted discovery, a discovering UE needs to prove it is authorized to discover a specific target UE or group. The PSDK is used to generate and verify a message authentication code (MAC) for discovery messages. The process involves the ProSe Function in the network, which provisions authorized public safety UEs with necessary keying material and policies. The PSDK itself is not transmitted over the air; instead, derived keys or tokens generated using the PSDK are used in the discovery signaling.

Architecturally, the PSDK is part of a key hierarchy. It may be derived from a root key shared with the ProSe Function. The UE's ProSe Protocol uses this key, accessed securely from the UICC via the USIM application, to perform cryptographic operations. The security procedures ensure that even if discovery messages are broadcast openly, only UEs possessing the corresponding PSDK (or a derived key) can correctly process them to identify an authorized peer. This mechanism is vital for operations in infrastructure-less environments where traditional network authentication is unavailable.

Purpose & Motivation

The PSDK was introduced to address critical security requirements for public safety ProSe, particularly for direct discovery and communication when cellular network infrastructure is unavailable, compromised, or congested. Prior security mechanisms were entirely network-centric, relying on continuous interaction with core network entities for authentication and key agreement. This approach fails in the very scenarios public safety operations often encounter: disasters, remote areas, or network outages.

The motivation stemmed from the need for secure, direct device-to-device discovery among first responders. Without the PSDK, discovery messages could be intercepted or spoofed, allowing malicious actors to locate emergency personnel or impersonate them, leading to operational failure or danger. The PSDK enables a security model that works independently of the network's immediate availability. It allows pre-provisioned security relationships and policies, ensuring that discovery is restricted to authorized parties only, maintaining confidentiality of the public safety team's presence and integrity of the discovery process, which is foundational for establishing subsequent secure sidelink communication channels.

Classification

Part ofProSe
Related approachesUSIMUE

Detected Changes Across Releases

from 3GPP Change Requests

Specific changes extracted from the „Change history“ tables of 3GPP specifications (400 CRs across 5 releases). Complements the general historical overview above with the evidence-based evolution of this function.

Studied in Rel-13, normative work from Rel-15.

Rel-15 6 changes

In Release 15, the PSDK function was newly introduced as part of the specifications for 5G ProSe direct discovery and communication over the PC5 interface. The release defined the associated procedures for 5G ProSe service authorization and direct discovery between the UE and the Direct Discovery Name Management Function (DDNMF) over the PC3a interface. This established the foundational security and protocol framework for proximity-based public safety services in the 5G System.

  • USIM Service Table update for PDU session call control support TS 31.102CR0786
  • Allow configuration of MCS (Access Identity 2) via USIM. TS 31.102CR0794
  • Mission Critical Services configuration data update to USIM TS 31.102CR0808
  • Enhance USIM OPL configuration to support 3 bytes TAC when in NG-RAN. TS 31.102CR0818
  • Updates to USIM management procedures for 5GS TS 31.102CR0806
  • Clarification about presence of EFIMSConfigData in ISIM and USIM TS 31.102CR0833
Rel-16 11 changes

In Release 16, the new PSDK function introduced the ability for the USIM to configure a "PS Data Off list" for both home and roaming scenarios. This allowed for network-controlled management of public safety data services directly via the SIM card. Additionally, the release specified the storage for a potentially separate KSEAF for non-3GPP access on the USIM, enhancing security key management for non-3GPP connectivity.

  • Support for USIM configuration of RLOS PLMN list TS 31.102CR0847
  • URSP storage in USIM TS 31.102CR0861
  • Specify storage for a potentially separate KSEAF for non-3gpp access on the USIM TS 31.102CR0864
  • USIM configuration of RLOS allowed MCC list TS 31.102CR0881
  • Support for Trusted non-3GPP access networks list by USIM TS 31.102CR0891
  • Dedicated AID for USIM Applications with non-IMSI based SUPI Types TS 31.102CR0897

+ 5 more changes

Rel-17 95 changes

In Release 17, the PSDK function was enhanced to support the security requirements for 5G ProSe UE-to-network relay discovery and communication. This included introducing new procedures such as the ProSe remote user key procedure and the security parameters request procedure for the PC8 interface. Additionally, a validity timer for discovery security parameters was introduced, and the security mode control and re-keying procedures for the 5G ProSe direct link were updated to incorporate elements like the GBA Push Info (GPI) and the 5GPRUK ID.

  • ProSe remote user key procedure TS 24.554CR0007
  • 5G ProSe UE-to-network relay discovery security parameters request procedure for PC8 interface TS 24.554CR0012
  • Add target user ID in relay discovery solicitation message TS 24.554CR0028
  • ProSe application traffic descriptor introduction TS 24.554CR0041
  • Resolving the EN related to possible changes to the 5G ProSe direct link re-keying procedure due to the security requirements of UE-to-network relay TS 24.554CR0063
  • Resolving the EN related to possible changes to the 5G ProSe direct link security mode control procedure due to the security requirements of UE-to-network relay TS 24.554CR0065

+ 89 more changes

Rel-18 146 changes

In Release 18, the enhancements for the Public Safety Discovery Key function primarily focused on enabling and refining 5G ProSe UE-to-UE relay operations over the PC5 interface. This included the introduction of specific procedures for U2U relay discovery using both Model A and Model B, as well as detailed procedures for 5G ProSe direct link establishment, modification, and release tailored for the UE-to-UE relay case. Furthermore, the release defined updates for handling link identifier updates via a relay UE and introduced capabilities for path switching between direct and indirect communication paths via a UE-to-Network relay.

  • 5G ProSe U2U relay unicast direct communication over PC5 TS 24.554CR0232
  • Updating the UE-requested ProSeP provisioning procedure to consider the 5G ProSe UE-to-UE relay case TS 24.554CR0279
  • Configuration parameter for 5G ProSe UE-to-UE relay TS 24.554CR0244
  • 5G ProSe U2U relay discovery over PC5 interface with model A TS 24.554CR0229
  • 5G ProSe U2U relay discovery over PC5 interface with model B TS 24.554CR0230
  • Using the 5G ProSe direct link modification procedure for UE-to-UE relay TS 24.554CR0273

+ 140 more changes

Rel-19 142 changes

In Release 19, the key enhancement for the Public Safety Discovery Key (PSDK) function was the extension of 5G ProSe (Proximity-based Services) to support Standalone Non-Public Networks (SNPN). This included updates to procedures such as the 5G ProSe Discoverer request, UE-to-network relay selection, and announce request procedures for restricted discovery to operate within SNPN environments. Furthermore, the release introduced foundational support for 5G ProSe multi-hop communications, defining new relay types like the intermediate parent and child UE-to-network relay to enable extended relay chains.

  • Update on 5G ProSe Discoverer request procedure to support 5G ProSe in SNPN TS 24.554CR0634
  • Update on UE-to-network relay selection procedure to support 5G ProSe in SNPN TS 24.554CR0637
  • Update on QoS handling for 5G ProSe layer-3 UE-to-network relay with N3IWF to support 5G ProSe in SNPN TS 24.554CR0639
  • Update on 5G ProSe configuration information to support 5G ProSe in SNPN TS 24.554CR0643
  • Updating 5G ProSe direct link management procedures for SNPN TS 24.554CR0668
  • Update on announce request procedure for restricted 5G ProSe direct discovery model A to support 5G ProSe in SNPN TS 24.554CR0645

+ 136 more changes

Explore further

Broader topics and technologies where PSDK plays a role.

Topics
SON (Self-Organizing Networks)Authentication (5G-AKA, EAP)Encryption & IntegrityMEC (Edge Computing)Emergency ServicesLawful Intercept

Defining Specifications

3GPP specifications that define or reference PSDK, with the latest known release. Sourced from the 3GPP document catalog — see methodology.

SpecificationTitleRelease
TS 24.554 vj40 5G Proximity Services (ProSe) Protocols Rel-19
TS 31.102 vj40 USIM Application Specification Rel-19
TS 33.303 vj00 ProSe Security Specification for EPS Rel-19